Integrating Imperva SecureSphere - Netsurion

Integrating Imperva SecureSphere

Publication Date: November 30, 2015

Integrate Imperva SecureSphere

Abstract

This guide provides instructions to configure Imperva SecureSphere to send syslog events to EventTracker.

Scope

The configurations detailed in this guide are consistent with EventTracker version 7.X and later, and Imperva SecureSphere 8 and later.

Audience

Imperva SecureSphere users who wish to forward syslog events to the EventTracker manager.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
Pre-requisites
Configurations
  To create audit events action set
  To create security events action set
  Configure audit policies to send the events to EventTracker
  Configure security policies to send the events to EventTracker
Import Imperva Knowledge Pack into EventTracker
  To import Category
  To import Alerts
  To import Scheduled Reports
Verify Imperva Knowledge Pack in EventTracker
  Verify Imperva categories
  Verify Imperva alerts
  Verify Imperva Scheduled Reports

Pre-requisites

- EventTracker should be installed.
- Imperva SecureSphere 8 (or later) should be installed.
- Each Imperva console needs one ‘Syslog Device’ license.

Configurations

SecureSphere can send security events and audit events to EventTracker. The following section describes how to configure SecureSphere to send syslog messages to EventTracker. The required configurations are:

- Create Audit Events action set
- Create Security Events action set
- Configure Audit policies
- Configure Security policies

To create audit events action set

1. Log on to IMPERVA SECURE SPHERE.
2. Click the Policy tab, and select Action Sets.
3. Click the Create new icon on the Action Set pane. IMPERVA opens the Action set dialog box.

Figure 1

4. Enter the Name of the action set. For example: Forward audit events to EventTracker.
5. From the Apply to event type dropdown, select the event type Audit, and then click the Create button. The newly created action set appears in the Action Set pane.

Figure 2

6. Click the green arrow to expand the Gateway Syslog Log audit events to System Log (Gateway Syslog) action interface.

Figure 3

7. Expand Selected Actions, and type EventTracker in the Name field.
8. Configure the action parameters as given in the table below.

Parameter name: Value

Protocol: Select the UDP\TCP option.
Primary Host: IP address of the EventTracker server.
Primary Port: By default, EventTracker listens on port number 514.
Secondary Host: Optional.
Secondary Port: Optional.
Syslog Log Level: Select the log level from the dropdown.
Message: In case of an ‘Audit’ event, enter the placeholder as below:

  Imperva Inc. SecureSphere {SecureSphereVersion} EventTime {Event.createTime}; Event Type {Event.struct.eventType}; Server Group {Event.serverGroup}; Service Name {Event.serviceName}; Application Name {Event.applicationName}; Database UserName {Event.struct.user.user}; User Group {Event.struct.userGroup}; User Authenticated {Event.struct.user.authenticated}; Application UserName {Event.struct.applicationUser}; Source IP {Event.sourceInfo.sourceIp}; Source Port {Event.sourceInfo.sourcePort}; Source Application {Event.struct.application.application}; OS UserName {Event.struct.osUser.osUser}; Source HostName {Event.struct.host.host}; Service Type {Event.struct.serviceType}; Destination IP {Event.destInfo.serverIp}; Destination Port {Event.destInfo.serverPort}; Operation {Event.struct.operations.name}; Operation Type {Event.struct.operations.operationType}; Object Name {Event.struct.operations.objects.name}; Object Type {Event.struct.operations.objectType}; Subject {Event.struct.operations.subjects.name}; Database Name {Event.struct.databases.databaseName}; Schema Name {Event.struct.databases.schemaName}; Table Group {Event.struct.tableGroups.displayName}; Sensitive Operation {Event.struct.tableGroups.sensitive}; Privileged Operation {Event.struct.operations.privileged}; StoredProcedure n {Event.struct.complete.completeSuccessful}; Response size {Event.struct.complete.responseSize}; Response time {Event.struct.complete.responseTime}; Effected rows {Event.struct.query.affectedRows}; Exception Message {Event.struct.complete.errorValue}; Parsed Query {Event.struct.query.parsedQuery}; Raw Query {Event.struct.rawData.rawData}

Facility: Select the appropriate option from the dropdown.

9. Click the Save icon.
10. Click the Save icon. The settings are saved and the newly created action set will appear under Selected Actions.

Figure 4

Figure 5

6. Click the green arrow to expand the Log to System Log (syslog) (System Log EventTracker) action interface.

Figure 6

7. Expand Selected Actions, and type EventTracker in the Name field.
8. Configure the action parameters as given in the table below.

Parameter name: Value

Syslog Host: IP address of the EventTracker server.
Syslog Log Level: Select the log level from the dropdown.
Message: In case of a ‘Security’ event, enter the placeholder as below:

  Imperva Inc. SecureSphere {SecureSphereVersion} AlertTime {Alert.createTime} AlertType {Alert.alertType}; Alert Name {Alert.alertMetadata.alertName}; Alert Severity {Alert.severity}; Alert Action {Alert.immediateAction}; Destination IP {Event.destInfo.serverIp}; Destination Port {Event.destInfo.serverPort}; User {Alert.username}; Source IP {Event.sourceInfo.sourceIp}; Source Port {Event.sourceInfo.sourcePort}; Protocol {Event.sourceInfo.ipProtocol}; category Alert; Policy {Rule.parent.displayName}; Server Group {Alert.serverGroupName}; Service Name {Alert.serviceName}; Application {Alert.applicationName}; Description {Alert.description}

Facility: Select the appropriate option from the dropdown.
Run on Every Event: Select this checkbox to get a notification on every security alert.

9. Click the Save icon.
10. Click the Save icon. The settings are saved and the newly created action set will appear under Selected Actions.

Figure 7
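The Message templates in the audit and security action sets above define the exact layout of every syslog line EventTracker receives, so the same template text can drive a parser on the receiving side. The following Python is an added example, not code from the Netsurion guide or from Imperva: it uses shortened copies of both templates and constructed sample lines, turns each template into a regular expression so the labels and {placeholders} become named fields, and flags audit events that SecureSphere marked as sensitive or privileged.

```python
import re
# Shortened versions of the two Message templates from the action-set tables
# above (same {placeholder} syntax; the full templates work the same way).
AUDIT_TEMPLATE = (
    "Imperva Inc. SecureSphere {SecureSphereVersion} EventTime {Event.createTime}; "
    "Event Type {Event.struct.eventType}; Database UserName {Event.struct.user.user}; "
    "Source IP {Event.sourceInfo.sourceIp}; Destination IP {Event.destInfo.serverIp}; "
    "Operation {Event.struct.operations.name}; "
    "Sensitive Operation {Event.struct.tableGroups.sensitive}; "
    "Privileged Operation {Event.struct.operations.privileged}"
)
SECURITY_TEMPLATE = (
    "Imperva Inc. SecureSphere {SecureSphereVersion} AlertTime {Alert.createTime} "
    "AlertType {Alert.alertType}; Alert Name {Alert.alertMetadata.alertName}; "
    "Alert Severity {Alert.severity}; Alert Action {Alert.immediateAction}; "
    "User {Alert.username}; Source IP {Event.sourceInfo.sourceIp}; "
    "category Alert; Policy {Rule.parent.displayName}"
)

# Constructed sample lines, shaped as SecureSphere would render the templates above.
AUDIT_SAMPLE = ("Imperva Inc. SecureSphere 11.5 EventTime 2015-11-30 10:15:22; "
                "Event Type Query; Database UserName scott; Source IP 10.0.0.25; "
                "Destination IP 10.0.0.7; Operation SELECT; Sensitive Operation true; "
                "Privileged Operation false")
SECURITY_SAMPLE = ("Imperva Inc. SecureSphere 11.5 AlertTime 2015-11-30 10:16:03 "
                   "AlertType Signature; Alert Name Unauthorized database access; "
                   "Alert Severity High; Alert Action Block; User scott; "
                   "Source IP 10.0.0.25; category Alert; Policy Default DB Rule")
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")

def template_to_regex(template):
    """Compile a SecureSphere message template into an anchored regex: literal
    text is escaped and each {placeholder} becomes a named group (dots in the
    placeholder path are turned into underscores to make valid group names)."""
    pattern, pos = "", 0
    for m in PLACEHOLDER.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        pattern += "(?P<%s>.*?)" % m.group(1).replace(".", "_")
        pos = m.end()
    return re.compile("^" + pattern + re.escape(template[pos:]) + "$")

def parse_message(template, line):
    """Return a dict of placeholder name -> value, or None if the line does not
    match the template (e.g. a message from a differently configured action set)."""
    m = template_to_regex(template).match(line)
    return m.groupdict() if m else None

def is_high_risk_audit(fields):
    """Flag audit events SecureSphere marked as touching a sensitive table group
    or as a privileged operation; a natural EventTracker alert condition."""
    return (fields["Event_struct_tableGroups_sensitive"].lower() == "true"
            or fields["Event_struct_operations_privileged"].lower() == "true")
```

If you change a label or placeholder in the action set, paste the new template into the corresponding constant and the parser follows; a line that does not match returns None rather than silently mis-assigning fields.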

Configure audit policies to send the events to EventTracker

1. Click the Policy tab, and select Audit.

Figure 8

2. In the Audit Policies pane, select the Default Rule – All Events option.
3. Move to the right pane, and click the Apply to tab.
4. Select the systems/sites for which you wish to send the events.
5. Click the External logger tab.

Figure 9

6. Select the newly created audit event action set (e.g. Forward audit events to EventTracker) in the dropdown.
7. Click the Save icon to save the settings.

Configure security policies to send the events to EventTracker

The syslog message can be sent as a followed action upon the occurrence of a security or an audit event. The action set defined for audit/security events will be used as the followed action.

1. Click the Policy tab, and select Security.
2. In the Policies pane, select the policy for which you wish to enable the followed action.
3. In the Policy Rules tab, select the appropriate policy rule.
4. Click the Enabled checkbox next to the policy rule.
5. Select the Severity level.
6. Select Action from the dropdown.
7. In the Followed Action dropdown, select the custom created action set for audit\security events.

Figure 10

8. Click the Save icon to save the settings.

Import Imperva Knowledge Pack into EventTracker

1. Launch EventTracker Control Panel.
2. Double click the Import Export Utility icon, and then click the Import tab.
3. Import Category/Alert/Reports as given below.

To import Category

1. Click the Category option, and then click the browse button.

Figure 11

2. Locate the All Imperva DAM group of categories.iscat file, and then click the Open button.

3. Click the Import button to import the categories. EventTracker displays a success message.

Figure 11

4. Click the OK button and then click the Close button.

To import Alerts

1. Click the Alert option, and then click the browse button.

Figure 13

2. Locate the All Imperva DAM group of alerts.isalt file, and then click the Open button.
3. Click the Import button to import the alerts. EventTracker displays a success message.

Figure 14

4. Click the OK button and then click the Close button.

To import Scheduled Reports

1. Click the Reports option, and then click the browse button.

Figure 15

2. Locate the All Imperva DAM defined analysis report.issch file, and then click the Open button.
3. Click the Import button to import the scheduled reports. EventTracker displays a success message.

Figure 16

4. Click the OK button, and then click the Close button.

Verify Imperva Knowledge Pack in EventTracker

Verify Imperva categories

1. Log on to EventTracker Enterprise.
2. Click the Admin dropdown, and then click Categories.
3. In the Category Tree, expand the Imperva group folder to see the imported categories.

Figure 17

Verify Imperva alerts

1. Log on to EventTracker Enterprise.
2. Click the Admin dropdown, and then click Alerts.
3. In the Search field, type ‘Imperva’, and then click the Go button. The Alert Management page will display all the imported Imperva alerts.

Figure 18

4. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays a message box.

Figure 19

5. Click the OK button, and then click the Activate now button.

NOTE: You can select alert notifications such as Beep, Email, and Message. For this, select the respective checkbox in the Alert management page, and then click the Activate Now button.

Verify Imperva Scheduled Reports

1. Log on to EventTracker Enterprise.
2. Go to Reports.
3. Click the Defined option. EventTracker displays the Defined reports.

Figure 20

Here you can find imported scheduled reports such as the ‘Imperva DAM-Database native auditing change’ report.

4. Search ‘Imperva’ in the search box.
5. EventTracker displays Flex reports of all Imperva reports.